How to effectively test and locate application security holes?


I am facing a serious problem with hackers and/or crackers on a site developed for a city hall. I ran tests with sqlmap on every page of the website. I tested the FTP lock, searched for injected files inside the site, searched for viruses, malware and backdoors, and so far nothing...

So I came up with this question: how do I test the application effectively and locate the security flaws that belong exclusively to the application?

So that the question does not get too broad, I think it could be focused only on the web environment... if the person who answers thinks they can cover all of it, that will be very welcome too :D

I would also like the answer to be as generic as possible, so that it applies to any form of development (within the limitations of the languages).

Information on the application:
Language: PHP
Database: MySQL
Connections: mysql_connect (not my fault)

Focus of Attack: Database

Common problems
Script injection for page redirection
Image injection into news and highlights
File injection for backdoor

Items that do not cause problems (no attempts)
DoS attacks
Brute-force attacks

Corrections applied in the first instance
Change of database credentials
Change of administrator password (current hash -> df8bce1285196dddc104c22f15665dac)

I had already asked "What does the code below (written by a cracker) do?" and had posted the code of one of the files that had already been injected into the site...

I scanned the FTP and made sure there is no malicious file in it...

All GETs and POSTs are validated as follows:

if (isset($_GET['t'])) {
    // escape the raw parameter, then cast it to an integer
    $ids = (int)mysql_real_escape_string($_GET['t']);
    // fall back to the default record if the result is not numeric
    if (!is_numeric($ids)) {
        $ids = '1';
    }
} else {
    // parameter absent: use the default record
    $ids = '1';
}
  • So give more information about your problem, your structure, etc.

  • @bigown in this case I'm not sure what information is needed for an evaluation (I'd like it to be as generic as possible); if you can help me by telling me which information is most vital to be able to answer

  • What exactly happened? What programming language is the application written in? You mentioned SQL; was the attack on the database?

  • @Andrey added to the question

  • You're looking in the wrong place. Read more about application security in the OWASP project.

  • What exactly are the problems you're having? The types of vulnerability an application may be exposed to are many and quite diverse; a generic response would be either too superficial or too extensive. If you can't describe the problem in more detail, at least tell us which problems you are not facing (e.g.: DoS, session hijacking, identity theft, JS injection, shell injection...). Of course, one cannot be sure that a vulnerability does not exist, but by "symptoms" one can narrow the focus of analysis to its probable causes.

  • Well, if the vulnerability affects the database, you can start by changing the DB credentials, migrating the application layer to PDO/mysqli and using prepared statements.

  • @gmsantos it would be a dream to do this, but because of contractual issues and disagreement between the company and the city hall we cannot spend the day replacing all connections with prepared statements :'(

  • Rodrigo, is this disagreement along the lines of the client saying "you're the one who did it" or "you're the one who took it over for free"?

  • @gmsantos it's like "you did it, it's not our fault if our own employees sabotage the system"... Note: the biggest suspicion so far is that it is a fight between public servants; it has happened to another city's site

  • We are working to fix the flaws; however, the site is relatively old, an update of this size requires a lot of time (we have no staff to spare for this), and for free it will surely not be done...


2 answers

5


According to your description of the most common problems, I would divide the attention between two fronts:

Script injection for page redirection

Image injection into news and highlights

This is a sign that user inputs are not being sanitized properly. But in this case I'm not referring to properly formatting SQL (something prepared statements would help with), but to correctly escaping the HTML.

In a web application there are several points where input provided by the user is shown back to them as part of a page. Even if this input is correctly "escaped" when going into the database, that does not mean it is safe to be embedded in a page. For example, there are no invalid SQL characters in the string <script>alert(1);</script>. But if a user entered that in a text field, what should be included in a results page is &lt;script&gt;alert(1);&lt;/script&gt;

(Data returned as the value of an input are not safe either. E.g.: teste"><img src="foo)

Escaping content before sending it to the database prevents SQL injection. To protect against JS injection (or HTML injection) it is also necessary to sanitize the content coming out of the database. I would concentrate my efforts in this direction, because your "symptoms" are not characteristic of a problem in data entry/queries (e.g., information leakage), but of a problem in the output of that data.

File injection for backdoor

As far as my knowledge goes, this is not something that can be caused by failures in the database, but rather in file uploads. A common situation is a website that allows you to upload images but validates only the file extension, not its content.

In that case I don't have enough knowledge to even make a guess, so I'm going to abstain from giving an opinion. The presence of a harmful file by itself does not seem enough to install a backdoor (for that some form of shell injection would also be necessary, but I'm not sure). But I may be quite wrong...


P.S. I don't believe it's related to your problem, but when I saw that your system was using mysql_real_escape_string I got suspicious - although I can't guarantee anything. I suggest this post on security.SE for more details (read the comments). In principle, a correct and consistent use of this function should be good enough, but there are details to consider, for example this one that caught my attention:

I think the commonly misinterpreted aspect is that the values escaped with mysql_real_escape_string are only intended to be used in a MySQL string literal. There are common cases where mysql_real_escape_string is used for data that is not placed in a string literal but somewhere else, such as an identifier, a keyword, an integer literal, etc.

In your specific example I don't see this as a problem, because after using this function you still convert to int and check whether it's numeric, so as far as I know (disclaimer: I have no experience with PHP) the vulnerability is not there. Anyway, check whether there are other uses of this function that may present problems.
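The two fixes the answer argues for, as an added example that is not code from the answer or from the asker's site: escape data on the way out of the database (element body and attribute contexts) with htmlspecialchars, and validate an uploaded "image" by its bytes rather than by its extension. The function names e(), render_news() and is_real_image(), the column names titulo/conteudo and the sample rows are assumptions of this example; it needs PHP 5.4 or later with the fileinfo extension.

```php
<?php
// Added example (not from the answer above or the asker's site). It shows
// output escaping for HTML text and attribute values, and a content-based
// check for uploaded images. Names e(), render_news(), is_real_image() and
// the columns titulo/conteudo are assumptions. Requires PHP 5.4+ (ENT_HTML5,
// ENT_SUBSTITUTE) and the fileinfo extension.

// Escape for HTML text and for double/single-quoted attribute values.
// ENT_QUOTES converts both quote characters, so a value such as
// teste"><img src="foo cannot close the attribute it is placed in.
function e($value)
{
    return htmlspecialchars((string)$value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Build the page fragment at output time. Whatever was stored (escaped for
// SQL or not) is treated here as text, never as markup.
function render_news(array $row)
{
    return '<h2>' . e($row['titulo']) . '</h2>' . "\n"
         . '<p>' . e($row['conteudo']) . '</p>' . "\n"
         . '<input name="q" value="' . e($row['titulo']) . '">' . "\n";
}

// Upload check: a file named foto.jpg that actually contains PHP code passes
// an extension check but fails both checks below.
function is_real_image($path, array $allowed = array('image/jpeg', 'image/png', 'image/gif'))
{
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($path);          // sniffs the magic bytes, ignores the name
    if (!in_array($mime, $allowed, true)) {
        return false;
    }
    $info = @getimagesize($path);          // parses the image header
    return $info !== false && $info['mime'] === $mime;
}

// Constructed sample rows carrying the two payloads quoted in the answer.
$rows = array(
    array('titulo' => 'teste"><img src="foo', 'conteudo' => '<script>alert(1);</script>'),
    array('titulo' => 'Agenda da semana',     'conteudo' => 'Texto normal, sem marcação.'),
);
foreach ($rows as $row) {
    echo render_news($row);
}
```

Run with `php escape_demo.php`: the first row is rendered with its angle brackets and quotes converted to entities, so neither payload becomes a tag or leaves the attribute. For uploads, store a file that passes is_real_image() under a server-chosen name with a fixed extension, outside the document root or in a directory where PHP execution is disabled; content sniffing alone does not stop a valid JPEG that also carries PHP in its metadata.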

  • +1 Only the OP will be able to tell us whether this was really the problem, but I think you've solved the riddle.

  • In fact, only the tests will be able to answer that xD

  • I don't know why, but I hadn't yet thought of treating the outputs too; if the script doesn't work it becomes useless. It may not solve it, but at least it makes things a little harder for the invader...

3

If you have no idea which exploit is being used, start at the lowest-level layer: the database.

  • Identify the patterns. Do the 'invasions' always happen at the same time? Is there any similar content among the affected records? Is the source IP always the same?
  • Do a cleanup of the database based on the patterns found. (Beware of false positives.)
  • Create triggers that prevent records matching the patterns found from being written to the database. Create a specific error code for this trigger.
  • Monitor your application and log all pages where a database call produced the error code you created.
  • Locate, on the affected pages, the fragile points used by the exploit, and eliminate them.
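The trigger and monitoring steps of this procedure, as an added example that is not part of the answer: a MySQL BEFORE INSERT/UPDATE trigger that refuses rows matching the patterns found during cleanup and raises a custom error number, plus the PHP write path that recognises that number and logs which page attempted the write. The table noticias(titulo, conteudo), the error number 30001, the regex patterns, the DSN and the credentials are assumptions of this example; it requires MySQL 5.5 or later (SIGNAL) and PDO with exceptions enabled.

```php
<?php
// Added example (not part of the answer above). Installs a MySQL trigger that
// rejects rows matching known injection patterns with a custom error number,
// and logs every page whose write hits that number. Assumptions: MySQL 5.5+,
// PDO with ERRMODE_EXCEPTION, a table noticias(titulo, conteudo), and the
// error number 30001 chosen for this example.

define('INJECTION_ERRNO', 30001);

// Patterns taken from the injected records (constructed for this example).
// REGEXP is case-insensitive on non-binary columns. PDO::quote() doubles the
// backslash for the MySQL string literal, so the regex engine still sees \.
$pattern = '<script|<iframe|window\.location|location\.href|<img[^>]+src=.?https?://';

// Trigger body; no DELIMITER needed because PDO sends it as one statement.
$triggerSql = <<<'SQL'
CREATE TRIGGER %s BEFORE %s ON noticias
FOR EACH ROW
BEGIN
  IF NEW.titulo REGEXP %s OR NEW.conteudo REGEXP %s THEN
    SIGNAL SQLSTATE '45000'
      SET MESSAGE_TEXT = 'injection pattern rejected', MYSQL_ERRNO = %d;
  END IF;
END
SQL;

function install_triggers(PDO $db, $triggerSql, $pattern)
{
    $quoted = $db->quote($pattern);
    foreach (array('INSERT', 'UPDATE') as $event) {
        $name = 'noticias_block_' . strtolower($event);
        $db->exec("DROP TRIGGER IF EXISTS $name");
        $db->exec(sprintf($triggerSql, $name, $event, $quoted, $quoted, INJECTION_ERRNO));
    }
}

// The application's write path. A refused write is logged together with the
// page that performed it, which is the list the answer says to build.
function save_news(PDO $db, $titulo, $conteudo)
{
    $stmt = $db->prepare('INSERT INTO noticias (titulo, conteudo) VALUES (?, ?)');
    try {
        $stmt->execute(array($titulo, $conteudo));
        return true;
    } catch (PDOException $e) {
        // errorInfo[1] carries the driver code, i.e. the trigger's MYSQL_ERRNO
        if (isset($e->errorInfo[1]) && (int)$e->errorInfo[1] === INJECTION_ERRNO) {
            error_log(sprintf('[injection blocked] page=%s ip=%s titulo=%s',
                isset($_SERVER['SCRIPT_NAME']) ? $_SERVER['SCRIPT_NAME'] : 'cli',
                isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '-',
                substr($titulo, 0, 80)));
            return false;
        }
        throw $e; // any other database error is still a real error
    }
}

// Usage with an assumed DSN and credentials.
$db = new PDO('mysql:host=localhost;dbname=prefeitura;charset=utf8', 'user', 'pass',
    array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION));
install_triggers($db, $triggerSql, $pattern);
save_news($db, 'Agenda', 'Texto normal');
save_news($db, 'x', '<script>window.location="http://evil.example/";</script>');
```

The first save_news() call is accepted; the second is refused by the trigger, logged with the calling page, and returns false. The site's existing mysql_query() calls can use the same trigger by checking mysql_errno() for 30001 after a failed query. Keep the patterns narrow: every INSERT and UPDATE on the table pays for the REGEXP, and, as the answer warns, a broad pattern will refuse legitimate content.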
